Security

Last updated: 2026-05-22 · v1.0

This page summarises the technical and organisational measures (TOMs) that suPlay BV applies to protect The Beer Game platform. It is provided for pre-sales transparency and as the §6 reference from the DPA.

Infrastructure

  • Hosting in the Netherlands (TransIP / team.blue), within the EU.
  • Hardened OS (AlmaLinux 9) with SELinux enforcing, fail2ban, restricted SSH (key-only, non-default port 5022), automated security updates.
  • Apache httpd + mod_ssl, PHP-FPM over a Unix socket (no TCP exposure); web tier and app tier on the same host, no cross-host attack surface.
  • Encrypted off-site backups to Scaleway Amsterdam, GPG-AES256 encrypted client-side before upload. Daily rotation, 30-day retention on-site, 30-day off-site daily, 12-month off-site monthly.

Data in transit

  • HTTPS for all customer traffic; TLS 1.2+; HSTS with long max-age.
  • X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, restricted Permissions-Policy — all enforced centrally by SecurityHeadersSubscriber.
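The subscriber pattern behind a centrally enforced header set, as an added illustration in PHP. This is not the platform's own SecurityHeadersSubscriber; the class name, the Permissions-Policy feature list, the HSTS max-age value and the listener priority are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Example subscriber (assumed name, not the project's own class) that stamps
 * the response headers listed above onto every main response.
 */
final class ExampleSecurityHeadersSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Negative priority so this runs after listeners that build the response.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests (fragments, ESI) inherit the main response's headers
        }

        $headers = $event->getResponse()->headers;

        // Clickjacking: refuse to be framed at all.
        $headers->set('X-Frame-Options', 'DENY');
        // MIME sniffing: the declared Content-Type is authoritative.
        $headers->set('X-Content-Type-Options', 'nosniff');
        // Send the origin only, and only downgrade-safe (no referrer to plain HTTP).
        $headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        // Browser features the game never needs; the list here is an assumption.
        $headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

        // HSTS is only meaningful on an HTTPS response. One year is an assumed value
        // standing in for the "long max-age" the page describes.
        if ($event->getRequest()->isSecure()) {
            $headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }
    }
}
```

With Symfony's default autoconfiguration, any class implementing EventSubscriberInterface is registered automatically, so the headers apply to every route, including error pages, without per-controller code. Setting them in the application rather than only in httpd config also means the test suite can assert on them.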

Data at rest

  • MariaDB 10.11 LTS database on encrypted volumes.
  • Off-site backups encrypted with AES-256 and a passphrase held only on the production host.
  • Instructor passwords hashed with bcrypt.
  • Verification codes and host tokens hashed with SHA-256; raw tokens never stored.
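The two hashing patterns above side by side, as an added PHP illustration that is not the platform's code. The class, its in-memory token table and the bcrypt cost are assumptions; the point is that a low-entropy password needs a slow, salted hash, while a 256-bit random token only needs a fast digest plus a constant-time comparison.

```php
<?php
declare(strict_types=1);

/** Assumed helper class for the example; the "store" is an in-memory array. */
final class CredentialStore
{
    /** @var array<string, string> token id => SHA-256 hex digest of the raw token */
    private array $tokenHashes = [];

    /** Instructor passwords: bcrypt, with a random salt embedded in the result. */
    public function hashPassword(string $plain): string
    {
        // Cost 12 is an assumed value; tune so hashing takes tens of milliseconds.
        return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
    }

    public function checkPassword(string $plain, string $storedHash): bool
    {
        return password_verify($plain, $storedHash);
    }

    /**
     * Host tokens / verification codes: the raw value is handed to the caller
     * exactly once and only its SHA-256 digest is kept.
     */
    public function issueToken(string $id): string
    {
        $raw = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $this->tokenHashes[$id] = hash('sha256', $raw);
        return $raw;
    }

    /** Re-hash the presented value and compare digests in constant time. */
    public function verifyToken(string $id, string $presented): bool
    {
        if (!isset($this->tokenHashes[$id])) {
            return false;
        }
        return hash_equals($this->tokenHashes[$id], hash('sha256', $presented));
    }

    /** What a database dump would reveal: digests only, never the raw token. */
    public function storedDigest(string $id): ?string
    {
        return $this->tokenHashes[$id] ?? null;
    }
}

// Constructed walkthrough.
$store = new CredentialStore();

$pwHash = $store->hashPassword('correct horse battery staple');
$ok     = $store->checkPassword('correct horse battery staple', $pwHash);
$bad    = $store->checkPassword('Tr0ub4dor&3', $pwHash);

$raw    = $store->issueToken('host-42');
$tokOk  = $store->verifyToken('host-42', $raw);
$tokBad = $store->verifyToken('host-42', str_repeat('0', 64));

if (!$ok || $bad || !$tokOk || $tokBad) {
    throw new RuntimeException('hashing walkthrough did not behave as expected');
}
if ($store->storedDigest('host-42') === $raw) {
    throw new RuntimeException('raw token must never be persisted');
}
echo "password hash: $pwHash\nstored token digest: {$store->storedDigest('host-42')}\n";
```

A leaked table of SHA-256 digests is useless to an attacker because each raw token has 256 bits of entropy and cannot be guessed or enumerated; bcrypt would add nothing there except latency on every request. The reverse holds for passwords, which is why the two are hashed differently. hash_equals avoids leaking digest prefixes through comparison timing.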

Access control

  • Symfony Security with form_login, login throttling (5 attempts / 15 min), and a custom UserChecker that blocks unverified or disabled accounts.
  • Roles: ROLE_USER (instructor) and ROLE_ADMIN (platform operator). Admin access is limited to suPlay staff and audit-logged.
  • Session ownership and co-host invites enforced server-side on every request — chains cannot be controlled by anyone but their owner / co-hosts.

Application security

  • Server-authoritative game engine. Every order, every week-advance, every cost calculation is computed server-side using a deterministic, optimistically-locked (#[ORM\Version]) game state. The client cannot inject game outcomes.
  • Stateless CSRF tokens on all state-changing endpoints (Symfony 7.4 SameOriginCsrfTokenManager).
  • Rate limiters on instructor_login and verify_code endpoints.
  • Doctrine ORM — all queries parameterised; no string-concatenated SQL.
  • JSON-in-HTML escaping (JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) — a player choosing a name like </script>… cannot break out of the embedded JSON.
  • No innerHTML with untrusted content; client-side DOM updates use DOMParser + replaceChildren.
  • Content-hash asset versioning (App\Asset\ContentHashVersionStrategy) for cache-busting without manual revisions.
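What the JSON_HEX_* flags buy when JSON is inlined in a `<script>` element, as an added PHP example that is not the platform's code. The hostile player name and the helper function are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Flag set for JSON that is embedded in HTML; JSON_THROW_ON_ERROR is added so a
// bad UTF-8 name fails loudly instead of silently returning false.
const JSON_IN_HTML = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;

/** Encode data for safe embedding inside an inline <script> block (assumed helper name). */
function jsonForScript(mixed $data): string
{
    return json_encode($data, JSON_IN_HTML);
}

/** Render the game bootstrap the way a template would, with the JSON inlined. */
function renderBootstrap(array $state): string
{
    return "<script>window.gameState = " . jsonForScript($state) . ";</script>";
}

/** Returns both encodings so the difference can be inspected or checked. */
function demonstrate(): array
{
    // Constructed hostile input: tries to close the script element and open a new one.
    $state = [
        'player' => '</script><script>alert(1)</script>',
        'team'   => 'Retailer & Co "A" \'B\'',
    ];

    // Naive encoding (slashes left as-is, as many code bases configure it)
    // keeps "</script>" verbatim, so the HTML tokenizer ends the script early.
    $unsafe = json_encode($state, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);

    // Hardened encoding: every < > & ' " becomes a \uXXXX escape, which JSON
    // parses to the same characters but the HTML parser never sees as markup.
    $safe = jsonForScript($state);

    if (!str_contains($unsafe, '</script>')) {
        throw new RuntimeException('expected the naive encoding to contain a closing tag');
    }
    if (str_contains($safe, '<') || str_contains($safe, '>') || str_contains($safe, '&')) {
        throw new RuntimeException('hardened encoding leaked an HTML-significant character');
    }
    // Round trip: the escapes are pure JSON, so the browser still gets the real name.
    $decoded = json_decode($safe, true, 512, JSON_THROW_ON_ERROR);
    if ($decoded !== $state) {
        throw new RuntimeException('hardened encoding altered the payload');
    }

    return ['unsafe' => $unsafe, 'safe' => $safe, 'html' => renderBootstrap($state)];
}

foreach (demonstrate() as $label => $value) {
    echo str_pad($label, 7) . $value . "\n";
}
```

Note that PHP's default slash escaping (`\/`) happens to neutralise `</script>` on its own, but that is a side effect that disappears the moment JSON_UNESCAPED_SLASHES is set; the HEX flags make the guarantee explicit for every HTML-significant character, including `&` and quotes that matter when the JSON ends up inside an attribute instead of a script block.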

Development practices

  • PHPUnit test suite: 60+ tests, 700+ assertions covering authentication, session ownership, CSRF, game-engine determinism, and CSV export.
  • Smoke E2E test exercises a complete instructor → session → student join → multi-week flow.
  • All security-sensitive changes (authentication, sessions, tokens, GDPR / data export / erasure) receive an explicit code review pass before merge.
  • Dependencies reviewed on a quarterly cadence.
  • Production deployment via a documented one-shot deploy script; asset-map compilation runs as a non-privileged service user.

Incident response

  • Application errors captured via Sentry (EU region, PII-scrubbed).
  • Personal-data breach notification to affected customers within 72 hours of becoming aware (DPA §9); notification to the Dutch supervisory authority (Autoriteit Persoonsgegevens) within 72 hours where applicable under GDPR Art. 33.
  • Security contact: privacy@suplay.nl.

Data location

All primary processing and backups occur within the European Union (Netherlands). All active subprocessors operate in the EU; see /subprocessors.

Responsible disclosure

If you discover a security vulnerability in The Beer Game, please report it to privacy@suplay.nl with a description of the issue and steps to reproduce. We commit to:

  • Acknowledge your report within 3 business days.
  • Provide a status update within 10 business days.
  • Not pursue legal action against researchers acting in good faith.

We ask that you give us a reasonable window to triage and fix before public disclosure, and that you avoid accessing or modifying data that is not your own. Live classes are easily disrupted — please do not run automated load or fuzz testing against the production host without prior written agreement.

© 2026 suPlay BV · Enschede, The Netherlands